The Rise Of Ransomware 2.0: How Attacks Are Evolving And What You Need To Know

Ransomware is changing with the times. The original modus operandi of crypto ransomware attackers was to gain access to your network or computer, inject and activate malware that encrypts data, locking users out of their machines, and finally demanding a ransom — usually in cryptocurrency, as with the WannaCry ransomware of 2017 — for the decryption key. With ransomware 2.0, attackers have better capabilities, more sophisticated techniques, and they further tailor the attack to the victim. The biggest difference between older and new ransomware methods is the use of double or triple extortion – instead of just encrypting your data and rendering it inaccessible until a ransom is paid, ransomware 2.0 attackers now often steal sensitive data, and use it to apply more pressure.

The victims may have backups to recover data from, but are threatened with the stolen data being exposed or used to damage customers and partners. Victims have no guarantee even if they pay the ransom, as the attackers still have the data, and may use it anyway. There are several types of ransomware apart from crypto ransomware, including screen-locking ransomware (common with mobile ransomware), which instead of encrypting its data, locks the device, and shows a ransom demand. Leakware or doxware steals data, and may also encrypt it, while wipers, or destructive ransomware, destroys data.

How are ransomware attacks evolving?

Today's ransomware is often a multi-stage process that uses reconnaissance to identify the right target within an organization, then gains access to that machine or network — often by phishing and social engineering. From that point, the ransomware is designed to evade detection, exploit vulnerabilities, and infect more machines. The notorious WannaCry ransomware, thought to have been deployed by North Korea, was a cryptoworm that spread itself across a network, infecting over 200,000 computers across the world. Modern ransomware is often aimed at cloud storage and SaaS platforms — targeting those organizations that store their data and applications there. This became more common after the transition to remote work during the COVID-19 pandemic.

Another feature of Ransomware 2.0 is that it's often a tool that is developed by a separate party from the attacker, in a phenomenon called Ransomware-as-a-Service (or RaaS). With RaaS, lower-skilled attackers — known as affiliates — can use sophisticated ransomware tools developed by specialists, with the ransom being split between the parties.

Recent attacks have also shown a new ransomware vector — infecting the software supply chain. Organizations and other victims downloading what appears to be an official application or software patch get ransomware instead. Supply chain hijacking could potentially affect a large number of users with a single infiltration. Another vector seen recently is called thread hijacking, where ransomware attackers infiltrate the online conversations of an organization to deploy the malware.

What else separates ransomware 2.0 from its predecessors?

Ransomware has come a long way since its roots in the simplistic AIDS Trojan or P.C. Cyborg malware from the last century, and has become a sophisticated and lucrative product developed with the intent of being sold as RaaS. RaaS malware is sold on the dark web, and RaaS distributors have recently been spending money to recruit affiliates. Ransomware developers have even been known to acquire different malware strains to maximize the effectiveness of their illegal business. Today, ransomware is often targeted at specific organizations and individuals, with customized attacks, designed to reap the most profit, and apply pressure to pay.

Modern ransomware is also significantly more sophisticated than earlier malware in that it uses automated tools and methods that let attackers quickly find vulnerabilities, spread the malware across networks, and take specific sensitive data. With the increased sophistication, there is also wider collaboration amongst ransomware actors. Such threat actors often form partnerships with each other, and even share resources, making it more difficult for organizations, governments, and security teams to counter the issue.

The increased prevalence of cryptocurrencies is also a factor in ransomware, as most ransom payments are traditionally in this form or some other difficult-to-track payment method. Ransomware actors are highly adaptable, researchers are finding, and they are adopting new, even-harder-to-trace, privacy-focused cryptocurrencies like Monero and Zcash. This is making it harder for cybersecurity and government agencies to trace ransom payments.

How should you deal with ransomware 2.0?

With ransomware, as with most cybersecurity threats, — prevention is better than cure. To this end, organizations need to invest in their data security, using different types of cybersecurity solutions, from endpoint protection to network monitoring tools, as well as well-defined identity and access controls that include multi-factor authentication and network segmentation. AI-based threat detection is an increasingly popular line of defense against ransomware, alongside proactive threat hunting. Vulnerability assessments should be carried out, and a formal incident response plan should be formulated to help detect and fix breaches faster.

Another important aspect of prevention is to train company staff in cyber-hygiene, as well as identifying and avoiding phishing and social engineering attempts. Companies should also keep all their software up to date, applying the latest patches to ensure vulnerabilities are fixed soon after being identified. Data should also be kept encrypted by the organizations, and regularly backed up, both in the cloud and offline.

Finally, if all the prevention wasn't enough, and you do fall victim to ransomware — you should contact law enforcement. Aside from this being mandatory for certain organizations, law enforcement may be able to obtain the decryption key, or trace the attacker. It is advised not to pay, as there is no guarantee you will recover your data; it may still be exposed even after payment, and you would be funding criminals to continue.